Accessing rabbitmq-stomp through a frontend, what are best practices to secure stomp credentials? - rabbitmq-stomp

What are the best practices in terms of security when a frontend, say Angular or React, connects to RabbitMQ via STOMP?
My concern is that the STOMP credentials can be easily read when the STOMP "CONNECT" frame is sent to the server.

Related

Encrypt Django Rest Framework API response + Decrypt response in react app

I am currently building an application.
My front end is developed using React and Axios (for API call requests). It is served directly by Vercel on mydomain.com.
My back end is developed using Django and Django Rest Framework. It is served with apache2 on api.mydomain.com. It only serves API endpoints.
So the front end and back end are separated.
I would like to return the entire data in encrypted form as an API response and then decrypt it in the frontend app (React).
Do you have any idea of what I could do to achieve this?
Thanks a lot in advance for your answers.
That's such an interesting question.
If you want encryption, I think you should look into SSL encryption (using https instead of http). SSL encrypts the data between client and server. You would still need to make API endpoints inaccessible to unauthorised users.
There is a great article about securing a Django API by using JWT tokens.
You can set up a login endpoint that would retrieve the tokens from Django upon successful login.
These tokens can then be used by React to access the secure Django endpoints. As an additional layer of security, you could make these tokens short-lived; in the unlikely case someone intercepts the tokens, they will expire and the hacker will lose access to your API.
SSL + JWT tokens should address your needs :)

How to call an API in HTTPS with React-Admin data provider?

I'm new to the back-end world and I'm trying to create an admin back office with React-Admin, except that I have trouble choosing the dataProvider.
I have a MySQL Express API, which I developed locally, so I use the Simple REST Data Provider, but it doesn't support the HTTPS protocol?
I'm trying to put my back office, linked to my API at https://___.org, into production, but I get "a communication error with the server".
Isn't it inadvisable to use http for such sensitive requests? How can I make requests to my API in a secure way while remaining in harmony with React-Admin?

React / Axios to consume REST API with client certificate authentication

I understand that a React app is only a client-side application running in the client browser.
However, I have a backend with a REST API I need to consume, and the API is under mutual TLS (https), so I need a client certificate in order to be able to authenticate and get something from the backend.
But the issue is that the React front end is running locally in the browser, so I do not know how it could be possible to securely store the certificate and its private key, if it is even possible.
I tried to google an approach, and it seems that the React app cannot consume services which require a client certificate for authentication, and there should be at least another backend as a proxy, which will be handling both parts: the React client and the REST API backend. This proxy can be configured with the certificate and private key, and the user would not have access to it.
But it requires another component as a proxy.
I can also put the React app behind a proxy like Apache and set up mutual client-certificate-based authentication; however, this can help me to identify the user inside the React app, not to securely establish a mutually authenticated channel with the REST API backend.
It seems that WebAuthn could be the way; however, it seems to be designed only for authentication, not for SSL/TLS.
What should be the correct approach? Is it possible to do it with a React-based app, or is this technology not suitable in that case?
I did research on the same topic; the only solution that I found is to store the certificate on the API and request the certificate using Axios.
On the API level you need to check where the request is coming from and only serve the certificate if the request comes from an authorized IP (your front end).
I couldn't find any other solution.

LoopBack 3 and SPA - where should I store the token?

I have some questions about the login process in LoopBack 3 and a modern SPA.
Is the access token generated from users/login a JWT?
How do I properly (safely) store a token generated from users/login on the modern SPA side? Just save it in localStorage or cookies and, after reading it, attach it to API queries?
The accessToken generated by LoopBack is not a JWT. It does not contain encrypted user data.
You could store it as a cookie in the browser and attach it to subsequent API queries.
Usually I use Redis to store my access tokens so that the server can be stateless. This is a better solution if you have autoscaling configured.

Is stateless backend secure?

I'm developing an application on Angular and Spring. And I'm a little bit confused about a stateless backend being secure. Here's the flow:
In the request header I send the email and password base64-encoded; the server returns a cookie which has the JWT token.
Since it's an HttpOnly and Secure-flagged cookie, the client side has nothing to do with it. On each request to the server it gets attached to the request header.
To get deeper knowledge about user activity, I use mouseenter and mouseleave functions which post the activity to the DB.
I'm protecting my app against CSRF by sending a client-side token.
I'm not quite sure if it's secure enough and if I really need to store any token- or cookie-related data for security.
People seem to be skeptical about securing stateless backends. For example, the official Spring Angular guide says:
It very definitely is a Good Thing to use the session for authentication and CSRF protection
This presentation by Rob Winch, the project lead of Spring Security, is also a gem to watch: The State of Securing RESTful APIs with Spring
In fact, looking at these, I decided to remain stateful for my APIs, and not to re-invent the sensitive security wheel unnecessarily.
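The two pieces the question above relies on, the HttpOnly/Secure cookie carrying the token and the client-side CSRF token, as an added example that is not part of the original post or of Spring: a Python standard-library helper that emits the `Set-Cookie` header with those flags and a double-submit CSRF check. The `SameSite` attribute and the header names are assumptions not taken from the post; the token values are constructed for the demo.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

SESSION_COOKIE = "session"      # holds the JWT; assumed name
CSRF_COOKIE = "csrf"            # readable by script on purpose; assumed name
CSRF_HEADER = "X-CSRF-Token"    # the SPA echoes the cookie value here; assumed name


def build_session_cookie(jwt_token: str) -> str:
    """Set-Cookie value for the JWT with the flags the post describes (plus SameSite)."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = jwt_token
    morsel = cookie[SESSION_COOKIE]
    morsel["httponly"] = True       # document.cookie cannot read it, so XSS cannot exfiltrate it
    morsel["secure"] = True         # browser only sends it over HTTPS
    morsel["samesite"] = "Strict"   # assumption: not in the post; blocks most cross-site sends
    morsel["path"] = "/"
    return morsel.OutputString()


def build_csrf_cookie(csrf_token: str) -> str:
    """Set-Cookie value for the CSRF token: Secure but NOT HttpOnly, so the SPA can read it."""
    cookie = SimpleCookie()
    cookie[CSRF_COOKIE] = csrf_token
    morsel = cookie[CSRF_COOKIE]
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return morsel.OutputString()


def new_csrf_token() -> str:
    """Unguessable per-session token; the server stores nothing, so the backend stays stateless."""
    return secrets.token_urlsafe(32)


def cookie_value(cookie_header: Optional[str], name: str) -> Optional[str]:
    """Extract one cookie from an incoming Cookie request header."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except Exception:  # CookieError for malformed input: treat as absent
        return None
    return jar[name].value if name in jar else None


def csrf_check(cookie_header: Optional[str], header_token: Optional[str]) -> bool:
    """Double-submit check: the header must match the cookie, compared in constant time.
    A cross-site page can make the browser send the cookie but cannot read it to set the header."""
    cookie_token = cookie_value(cookie_header, CSRF_COOKIE)
    if not cookie_token or not header_token:
        return False
    return hmac.compare_digest(cookie_token, header_token)


if __name__ == "__main__":
    token = new_csrf_token()
    print(build_session_cookie("<jwt-placeholder>"))
    print(build_csrf_cookie(token))
    request_cookie = f"{SESSION_COOKIE}=<jwt-placeholder>; {CSRF_COOKIE}={token}"
    print(csrf_check(request_cookie, token))    # True: same token in cookie and header
    print(csrf_check(request_cookie, "wrong"))  # False: header does not match
```

On each state-changing request the server reads the JWT from the `session` cookie for authentication and runs `csrf_check` on the `Cookie` and `X-CSRF-Token` headers before acting; nothing has to be stored on the server for either step.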